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DETAILED ACTION 
Claim Rejections - 35 USC §103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 1-20 and 23-24 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Reid et al (6,182,226 Bl) in view of Ray et al (6,587,455 Bl). 

In reference to claim l f Reid discloses a method of selectively enforcing a security policy 
in a network, the method comprising the computer- implemented steps of creating and storing one 
or more access controls in a policy enforcement point device that controls access of clients to the 
network, wherein each of the access controls specifies that a named abstract group is allowed 
access to a particular resource (column 4 line 49 to column 5 line 25). The regions defined by 
Reid are created and stored in the firewall where it applies rules to the incoming packets (column 
3 line 65 to column 4 line 10); therefore controlling access on opposite sides of the gateway. 
The packets on opposite sides of the firewall are permitted to pass from the policy enforcement 
point (firewall) into the network only if the network address is in the named group identified in 
one of the access controls that specifies that the named group is allowed access to the network 
(column 6 lines 21-31). The user in the system disclosed by Reid is an authenticated device 
(column 8 lines 40-59). 

Reid does not disclose receiving, from an external binding process, a binding of a 
network address; updating the named group to include the bound network address. 
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Ray discloses a method for allocation of a network address associated with a virtual 
subnet. The address server disclosed by Ray sends the network device an assigned network 
address, assigned by the address server and therefore assigned from an external binding process 
(column4 line 65 to column 5 line 31). The firewall saves the network address (column 6 line 66 
to column 7 line 6) and therefore updates the group to include the new IP address. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to automatically add nodes to the group as disclosed by Ray in the system of Reid. 
One of ordinary skill in the art would have been motivated to do this because when a network 
device initially connects to a network the device seeks an address server from which to request a 
network address, when done by the network administrator, it is a time consuming task, 
performing the task automatically saves time. 

In reference to claim 7, Reid discloses a method of selectively enforcing a security policy 
in a network, the method comprising the computer-implemented steps of: creating and storing 
one or more definitions of abstract groups that are authorized to use protected resources 
(services) of the network, wherein each of the definitions of abstract groups includes an abstract 
group name and a list of one or more network addresses of authorized users of the protected 
resources (column 5 lines 8-25 in combination with column 6 lines 22-31). Creating and storing 
one or more access controls in a policy enforcement point device that controls access of clients to 
the network, wherein each of the access controls specifies that a named abstract group is allowed 
access to a particular resource (column 5 lines 5-25 in combination with lines 33-57). The 
firewall controls access to services (resources) for every region (group) the access is defined in 
the firewall and therefore created and stored there. Steps further comprise determining whether 
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the network address of the authenticated user is in one of the lists of one of the named abstract 
groups (column 6 lines 22-3 1); and permitting a packet flow originating from the network 
address to pass from the policy enforcement point into the network only if the network address is 
in the named abstract group identified in one of the access controls that specifies that the named 
group is allowed access to the network (column 5 lines 34-50). The firewall protects every 
region from every other region; therefore the firewall must check that the network address is in 
the named abstract group. The access controls are used to define permissions of use and 
therefore identify that the named group is allowed access to the network. 

Reid does not disclose receiving a binding of a network address. 

Ray discloses a method for allocation of a network address associated with a virtual 
subnet. The address server disclosed by Ray sends the network device an assigned network 
address, receives the address of the new network device (column4 line 65 to column 5 line 31). 
The firewall saves the network address (column 6 line 66 to column 7 line 6) and therefore 
updates the group to include the new IP address. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to automatically add nodes to the group as disclosed by Ray in the system of Reid. 
One of ordinary skill in the art would have been motivated to do this because when a network 
device initially connects to a network the device seeks an address server from which to request a 
network address, when done by the network administrator, it is a time consuming task, 
performing the task automatically saves time. 

In reference to claims 13, 19, and 20, Reid discloses a method of selectively enforcing a 
security policy in a network, the method comprising the computer-implemented steps of creating 
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and storing one or more access controls in a policy enforcement point device that controls access 
of clients to the network, wherein each of the access controls specifies that a named abstract 
group is allowed access to a particular resource (column 4 line 49 to column 5 line 25). The 
regions defined by Reid are created and stored in the firewall where it applies rules to the 
incoming packets (column 3 line 65 to column 4 line 10); therefore controlling access on 
opposite sides of the gateway. The packets on opposite sides of the firewall are permitted to pass 
from the policy enforcement point (firewall) into the network only if the network address is in 
the named group identified in one of the access controls that specifies that the named group is 
allowed access to the network (column 6 lines 21-3 1). The user in the system disclosed by Reid 
is an authenticated device (column 8 lines 40-59). 

Reid does not disclose receiving, from an external binding process, a binding of a 
network address; updating the named group to include the bound network address. 

Ray discloses a method for allocation of a network address associated with a virtual 
subnet. The address server disclosed by Ray sends the network device an assigned network 
address, receives the address of the new network device (column4 line 65 to column 5 line 31). 
The firewall saves the network address (column 6 line 66 to column 7 line 6) and therefore 
updates the group to include the new IP address. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to automatically add nodes to the group as disclosed by Ray in the system of Reid. 
One of ordinary skill in the art would have been motivated to do this because when a network 
device initially connects to a network the device seeks an address server from which to request a 
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network address, when done by the network administrator, it is a time consuming task, 
performing the task automatically saves time. 

In reference to claim 24, Reid discloses a method of selectively enforcing a security 
policy in a network, the method comprising the computer-implemented steps of creating and 
storing one or more access control list entries in a network router that acts as a policy 
enforcement point device and that controls access of clients to the network, wherein each of the 
access control list entries specifies that a named group of users is allowed or refused access to a 
particular network resource (column 4 line 49 to column 5 line 25). Reid also creates and stores 
one or more definitions of the named groups in a data store that is accessible by the network 
router (column 3 line 65 to column 4 line 10). The method disclosed by Reid protects the flow 
of traffic from every region to every other region (column 5 lines 34-50) thereby permitting a 
packet flow originating from the bound network address to pass from the policy enforcement 
point into the network only if the bound network address is in the named group identified in one 
of the access control list entries that specifies that the named group is allowed access to the 
network. Regarding determining that the user has discontinued use of the client, and deleting the 
network address to which the user is bound from each named group of each policy enforcement 
point of the network (Reid column 15 lines 29-49). Reid discloses a function that is used to 
modify and delete regions, this would include when a user has discontinued use of the client. 

Reid does not disclose receiving, from an external process that can bind a user to a 
specific network address, a binding of a network address; updating the named group to include 
the bound network address; distributing the network address 
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Ray discloses a method for allocation of a network address associated with a virtual 
subnet. The address server disclosed by Ray sends the network device an assigned network 
address, assigned by the address server and therefore assigned from an external binding process 
(column4 line 65 to column 5 line 31). The firewall saves the network address (column 6 line 66 
to column 7 line 6) and therefore updates the group to include the new IP address. Ray discloses 
a system in which the network address is distributed to other nodes including policy enforcement 
points (firewalls/gateway server) (column 6 lines 4-10 in combination with line 66 to column 7 
line 6). The address server also sends the address of the network device to the device in the 
subnet (group); the address is information identifying the group that the network device belongs 
to because it is only sent to the devices in the subnet. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to automatically add nodes to the group as disclosed by Ray in the system of Reid. 
One of ordinary skill in the art would have been motivated to do this because when a network 
device initially connects to a network the device seeks an address server from which to request a 
network address, when done by the network administrator, it is a time consuming task, 
performing the task automatically saves time. 

In reference to claims 2, 8, and 14, wherein the access control point (firewall) contains 
definitions of groups and resources (service) as shown below. Definitions of groups are created 
and stored in the firewall (column 5 lines 14-25). Definitions of resources (services) are stored 
in the firewall/gateway ( column 5 lines 33-49). Creating and storing one or more access 
controls at the policy enforcement point, wherein each of the access controls specifies that a 
named group is allowed access to a particular resource (service) (column 5 lines 8-25 in 
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combination with lines 34-49). Reid indicates that the groups (regions) are named (column 5 
lines 14-24) and stored in the firewall, since Reid discloses the access definition is stored in the 
firewall (column 5 lines 33-36). One of the access controls specifies that all other traffic is 
denied access to the network (column 5 lines 37-38). The regions can only communicate with 
each other if there exists an appropriate access rule. The system does not allow traffic to pass 
directly through (column 5 lines 44-46); therefore all other traffic is denied access to the 
network. 

In reference to claims 3, 9, and 75, Reid does not disclose the steps of distributing the 
network address of the user and information identifying one or more groups of which the 
authenticated user is a member to all policy enforcement points of a protected network that the 
user seeks to access. 

Ray discloses a system in which the network address is distributed to other nodes 
including policy enforcement points (firewalls/gateway server) (column 6 lines 4-10 in 
combination with line 66 to column 7 line 6). The address server also sends the address of the 
network device to the device in the subnet (group); the address is information identifying the 
group that the network device belongs to because it is only sent to the devices in the subnet. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to distribute the address of the user and the information identifying the group of 
which the authenticated user is a member as shown in the system disclosed by Ray in the system 
of Reid. One of ordinary skill in the art would have been motivated to do this because firewall 
controls the information that passes between the external and internal network and therefore 
requires knowledge of which devices are in the networks. 
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In reference to claims 4, 10, and 16, although Reid discloses the policy enforcement 
points (firewall) that define a security zone that encompasses the user (Figure 1; Secure Zone), 
Reid does not disclose the steps of distributing the network address of the user and information 
identifying one or more groups of which the authenticated user is a member to all policy 
enforcement points of a protected network that the user seeks to access. 

Ray discloses a system in which the network address is distributed to other nodes 
including policy enforcement points (firewalls/gateway server) (column 6 lines 4-10 in 
combination with line 66 to column 7 line 6). The address server also sends the address of the 
network device to the device in the subnet (group); the address is information identifying the 
group that the network device belongs to because it is only sent to the devices in the subnet. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to distribute the address of the user and the information identifying the group of 
which the authenticated user is a member as shown in the system disclosed by Ray in the system 
of Reid. One of ordinary skill in the art would have been motivated to do this because firewall 
controls the information that passes between the external and internal network and therefore 
requires knowledge of which devices are in the networks. 

In reference to claims 5 and 11, Reid does not disclose the policy enforcement point 
receiving an Internet Protocol (IP) address for the user from a network address binding resolution 
(NABR) process. 

Ray discloses the firewall (policy enforcement point) receiving the IP address from the 
network device (NABR process; column 6 line 66 to column 7 line 7). 
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At the time the invention was made, it would have been obvious to a person of ordinary skill in 
the art to distribute the address of the user and the information identifying the group of which the 
authenticated user is a member as shown in the system disclosed by Ray in the system of Reid. 
One of ordinary skill in the art would have been motivated to do this because firewall controls 
the information that passes between the external and internal network and therefore requires 
knowledge of which devices are in the networks. 

In reference to claims 6, 12, and 75, further comprising the steps of determining that the 
user has discontinued use of the client, and deleting the network address to which the user is 
bound from each named group of each policy enforcement point of the network (Reid column 1 5 
lines 29-49). Reid discloses a function that is used to modify and delete regions, this would 
include when a user has discontinued use of the client. 

In reference to claim 23, Reid discloses a method of selectively enforcing a security 
policy in a network, the method comprising the computer-implemented steps of creating and 
storing one or more access control list entries in a network router that acts as a policy 
enforcement point device and that controls access of clients to the network, wherein each of the 
access control list entries specifies that a named group of users is allowed or refused access to a 
particular network resource (column 4 line 49 to column 5 line 25). Reid teaches that the 
firewall is the policy enforcement point (system which enforces a security policy) and is 
developed on the model of a screening router (column 1 lines 22-26). Therefore the router in the 
system disclosed by Reid acts as a policy enforcement point. Reid also teaches creating and 
storing one or more definitions of the named groups in a data store that is accessible by the 
network router (column 6 lines 21-3 1). The user in the system disclosed by Reid is an 
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authenticated device (column 8 lines 40-59). The method disclosed by Reid protects the flow of 
traffic from every region to every other region (column 5 lines 34-50) thereby permitting a 
packet flow originating from the bound network address to pass from the policy enforcement 
point into the network only if the bound network address is in the named group identified in one 
of the access control list entries that specifies that the named group is allowed access to the 
network. 

Reid does not disclose receiving from an external process that can bind a user to a 
specific network address, a binding of a network address and updating the named group to 
include the bound network address 

Ray discloses a method for allocation of a network address associated with a virtual 
subnet. The address server disclosed by Ray sends the network device an assigned network 
address, assigned by the address server and therefore assigned from an external binding process 
(column4 line 65 to column 5 line 31). The firewall saves the network address (column 6 line 66 
to column 7 line 6) and therefore updates the group to included the new IP address. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to automatically add nodes to the group as disclosed by Ray in the system of Reid. 
One of ordinary skill in the art would have been motivated to do this because when a network 
device initially connects to a network the device seeks an address server from which to request a 
network address, when done by the network administrator, it is a time consuming task, 
performing the task automatically saves time. 

In reference of claim 17, regarding computer-readable medium wherein the instructions 
for carrying out the steps of receiving a binding of a network address to an authenticated user of 
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a client for which the policy enforcement point controls access to the network comprise 
instructions for carrying out the steps of performing network address binding resolution for the 
user. 

Reid does not disclose steps for performing network address binding resolution for the 

user. 

Ray discloses a method for allocation of a network address associated with a virtual 
subnet. The address server disclosed by Ray sends the network device an assigned network 
address, assigned by the address server and therefore assigned from an external binding process 
(column4 line 65 to column 5 line 31). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to automatically add nodes to the group as disclosed by Ray in the system of Reid. 
One of ordinary skill in the art would have been motivated to do this because when a network 
device initially connects to a network the device seeks an address server from which to request a 
network address, when done by the network administrator, it is a time consuming task, 
performing the task automatically saves time. 

Claim 21 is rejected under 35 U.S.C. 103(a) as being unpatentable over Reid and Ray as 
applied to claim 1 above, and further in view of the article by Stewart. 

Regarding the steps of receiving a binding of a network address to an authenticated user 
of a client for which the policy enforcement point controls access to the network comprises the 
steps of receiving an Internet Protocol (IP) address for the user from an ASAP protocol process. 

Ray does not disclose a system receiving an Internet Protocol (IP) address for the user 
from an ASAP protocol process. 
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Stewart teaches the use of ASAP protocol for delivering messages (section 1.3). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to ASAP as taught by Stewart in the system disclosed by Ray. One of ordinary 
skill in the art would have been motivated to do this because ASAP provides s high availability 
data transfer mechanism over IP network. 

Claim 22 is rejected under 35 U.S.C. 103(a) as being unpatentable over Reid and Ray as 
applied to claim 1 above, and further in view of the Stevens. 

Regarding the steps of receiving a binding of a network address to an authenticated user 
of a client for which the policy enforcement point controls access to the network comprises the 
steps of receiving an Internet Protocol (IP) address for the user from a DNS process. 

Ray does not disclose a system for allocation of network address from a DNS process. 

Stevens teaches the use of the DNS process to provide a protocol to allow clients and 
servers to communicate with each other by mapping hostnames and IP addresses. 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use DNS as taught by Stevens in the name server disclosed by Ray. One of 
ordinary skill in the art would have been motivated to do this because DNS is a well known 
method of providing routing information; therefore other systems would be compatible with this 
system. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Paula W Klimach whose telephone number is (703) 305-8421. 
The examiner can normally be reached on Mon to Thu 9:30 a.m to 5:30 p.m. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (703) 305-4393. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

PWK 

Saturday, May 15, 2004 
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